Jordan Vit Jordan Vit - 7 months ago 8
SQL Question

Wrong password when register but working when change it whit bcrypt

I found something wired on my system regarding user registration and password. When I make new user I hashed his password via bcrypt. Everything is saved into database but lately I found that I can't login whit newly created users. Something is wrong with password I guess.

Strange but when I go with this user on Forgotten password and add new password I'm able to log in.. both user registration and forgotten password use same hash system. This is registration process and how password is saved:

This -> I can't login after registration.

// included db connection, password hash file etc..

//hash the password
$hashedpassword = $user->password_hash($_POST['user_password'], PASSWORD_BCRYPT);

if(!isset($error)){

try {

$stmt = $pdo->prepare('INSERT INTO users (user_username, user_password, user_email) VALUES (:user_username, :hashedpassword, :user_email)');

$stmt->execute(array(
':user_username' => $_POST['user_username'],
':hashedpassword' => $hashedpassword,
':user_email' => $_POST['user_email']
));

} catch(PDOException $e) {
var_dump ($e->getMessage());
exit;
}
}
// html part
<div class="form-group">
<label class="control-label col-sm-2" for="password">Password:</label> private function get_user_hash($username){

try {
$stmt = $this->_db->prepare("SELECT user_password FROM users WHERE user_username = :username AND active='Yes'");
$stmt->execute(array('username' => $username));

$row = $stmt->fetch();
return $row['user_password'];

} catch(PDOException $e) {
echo '<p class="bg-danger">'.$e->getMessage().'</p>';
}
}

public function login($username,$password){

$hashed = $this->get_user_hash($username);

if($this->password_verify($password,$hashed) == 1){

$_SESSION['loggedin'] = true;
return true;
}
}
<div class="col-sm-10">
<input type="password" class="form-control" name="user_password" id="user_password" placeholder="Enter password">
</div>
</div>


Password reset. This -> I can login after password is changed.

if(!isset($error)){

//hash the password
$hashedpassword = $user->password_hash($_POST['user_password'], PASSWORD_BCRYPT);

try {

$stmt = $pdo->prepare("UPDATE users SET user_password = :hashedpassword, resetComplete = 'Yes', active='Yes' WHERE resetToken = :token");
$stmt->execute(array(
':hashedpassword' => $hashedpassword,
':token' => $row['resetToken']
));

//redirect to index page
header('Location: index.php?action=resetAccount');
exit;

//else catch the exception and show the error.
} catch(PDOException $e) {
$error[] = $e->getMessage();
}

}
<div class="input-group input-group-lg">
<span class="input-group-addon"><i class="glyphicon glyphicon-lock red"></i></span>
<input type="password" class="form-control" name="user_password" id="user_password" placeholder="Enter your new password"/>
</div>
<div class="input-group input-group-lg">
<span class="input-group-addon"><i class="glyphicon glyphicon-lock red"></i></span>

<input type="password" class="form-control" name="passwordConfirm" id="passwordConfirm" placeholder="Re-enter your new password" />
</div>


I don't see anything different. They both used same database connection, same database table, same password hashing file. I don't know what to do.

UPDATE: database field for password is
VARCHAR(120)
so it's have enough space for the hash. Also I'm sure before 1-2 weeks all worked perfectly because I have created some accounts.. I'm not changed anything and now I can't log..

UPDATE2:
user.php ..

include('password.php');
$pdo = Database::connect();
class User extends Password{

private $_db;

function __construct($pdo){
parent::__construct();

$this->_db = $pdo;
}
private function get_user_hash($username){

try {
$stmt = $this->_db->prepare("SELECT user_password FROM users WHERE user_username = :username AND active='Yes'");
$stmt->execute(array('username' => $username));

$row = $stmt->fetch();
return $row['user_password'];

} catch(PDOException $e) {
echo '<p class="bg-danger">'.$e->getMessage().'</p>';
}
}

public function login($username,$password){

$hashed = $this->get_user_hash($username);

if($this->password_verify($password,$hashed) == 1){

$_SESSION['loggedin'] = true;
return true;
}
}


index.php where is login form

//html part
<div class="input-group input-group-lg">
<span class="input-group-addon"><i class="glyphicon glyphicon-lock red"></i></span>

<input type="password" class="form-control" name="password" id="password" placeholder="password" />
</div>

// php part
// include database, user.php
if(isset($_POST['submit'])){

$username = $_POST['username'];
$password = $_POST['password'];

if($user->login($username,$password)){

$id=$user->login_user_id($username);// get user id
$permissions=$user->login_user_permissions($username);// get user role


$_SESSION['user_id'] = $id;// assing user_id to session
$_SESSION['user_username'] = $username;
$_SESSION['user_role'] = $permissions;
header('Location: admin/index.php');
exit;

} else {
header('Location: index.php');
echo '';

}
}

Answer

In your registration form you make this:

$stmt = $pdo->prepare('INSERT INTO users (user_username, user_password, user_email) VALUES (:user_username, :hashedpassword, :user_email)');

After this in the login form where you verify both passwords I noticed that you check select and check field active.. AND active='Yes'...

$stmt = $this->_db->prepare("SELECT user_password FROM users WHERE user_username = :username AND active='Yes'");

In password change part you updating this same field active='Yes'...

$stmt = $pdo->prepare("UPDATE users SET user_password = :hashedpassword, resetComplete = 'Yes', active='Yes' WHERE resetToken = :token");

So please check in registration form if you set or no this column in database. Or you put some default value?

Comments